New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API Validation XML Schemas do not forbid file system access (XXE) #1021

Closed
brianwrf opened this Issue Sep 27, 2018 · 7 comments

Comments

3 participants
@brianwrf

brianwrf commented Sep 27, 2018

Version

  • vert.x web: <= 3.5.3

Context

Just found a potential XXE vulnerability in vertx-web as show below, it seems function isValid didn't add any protection from XXE vulnerability when parsing XML document.

https://github.com/vert-x3/vertx-web/blob/3.5.3/vertx-web-api-contract/src/main/java/io/vertx/ext/web/api/validation/impl/XMLTypeValidator.java#L34

Mitigation

Follow the OWASP guide below which provides concise information to prevent this vulnerability. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

@pmlopes pmlopes self-assigned this Sep 27, 2018

@pmlopes pmlopes referenced this issue Sep 28, 2018

Merged

Issues/1021 #1022

@pmlopes pmlopes added the to review label Sep 28, 2018

@vietj vietj added this to the 3.5.4 milestone Sep 28, 2018

@pmlopes pmlopes removed the to review label Sep 28, 2018

pmlopes added a commit that referenced this issue Sep 28, 2018

@vietj vietj referenced this issue Sep 28, 2018

Closed

Vert.x 3.5.4 umbrella issue #401

22 of 22 tasks complete
@brianwrf

This comment has been minimized.

Show comment
Hide comment
@brianwrf

brianwrf Sep 28, 2018

@pmlopes Thanks for the fast fix. Is there a CVE announcement on this issue?

Cheers,
Brian

brianwrf commented Sep 28, 2018

@pmlopes Thanks for the fast fix. Is there a CVE announcement on this issue?

Cheers,
Brian

@pmlopes pmlopes changed the title from Potential XXE vulnerability in vertx-web to API Validation XML Schemas do not forbid file system access (XXE) Sep 28, 2018

@vietj

This comment has been minimized.

Show comment
Hide comment
@vietj

vietj Sep 28, 2018

Contributor

@brianwrf there might be one indeed

Contributor

vietj commented Sep 28, 2018

@brianwrf there might be one indeed

@brianwrf

This comment has been minimized.

Show comment
Hide comment
@brianwrf

brianwrf Sep 28, 2018

@vietj Thanks for your response. Can you kindly please keep me updated if the CVE announcement is ready?

brianwrf commented Sep 28, 2018

@vietj Thanks for your response. Can you kindly please keep me updated if the CVE announcement is ready?

@vietj

This comment has been minimized.

Show comment
Hide comment
@vietj

vietj Sep 28, 2018

Contributor

it will be part of the 3.5.4 release notes, so just watch this

Contributor

vietj commented Sep 28, 2018

it will be part of the 3.5.4 release notes, so just watch this

@pmlopes

This comment has been minimized.

Show comment
Hide comment
@pmlopes

pmlopes Sep 28, 2018

Member

Note

This issue is not affected by user/application input, but only by badly crafted application configuration. Users using the api contracts module with the default settings are not affected, only if explicitly enabled the XML validation and provided a malicious XSD as input.

Member

pmlopes commented Sep 28, 2018

Note

This issue is not affected by user/application input, but only by badly crafted application configuration. Users using the api contracts module with the default settings are not affected, only if explicitly enabled the XML validation and provided a malicious XSD as input.

@brianwrf

This comment has been minimized.

Show comment
Hide comment
@brianwrf

brianwrf Sep 28, 2018

@vietj @pmlopes Thanks for the confirmation.

brianwrf commented Sep 28, 2018

@vietj @pmlopes Thanks for the confirmation.

@vietj

This comment has been minimized.

Show comment
Hide comment
@vietj

vietj Oct 3, 2018

Contributor

This has been identified as CVE-2018-12544 - the CVE has not yet been fulfilled at the moment of writing this but it will be soon

Contributor

vietj commented Oct 3, 2018

This has been identified as CVE-2018-12544 - the CVE has not yet been fulfilled at the moment of writing this but it will be soon

@vietj vietj added the bug label Oct 3, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment